
Can you provide examples on how to configure allowed and required authentication methods in Tectia Server 6.x?

asked Dec 23 '10 at 23:53


SSH KB ♦


In Tectia Server 6.x the authentication configuration is very flexible and enables many use cases. It is possible, for example, to require that some users must complete several authentication methods successfully to log in, while other users are allowed to log in when one of the allowed authentication methods is completed successfully.

Different authentication configurations could be specified for each user if desired. However, in most setups it is possible to use a more scalable selector type in <authentication-methods> to allow login.

Note that the order of the <authentication> elements on the same level is significant: the first matching authentication element will be used.

WARNING: If an <authentication> element is specified with no authentication methods defined, the matching users will be allowed to log in without authentication.

For more information on authentication methods and their configuration, please see the Tectia Server Administrator's Guide, particularly the section Configuring User Authentication Chains, the ssh-server-config man pages, and the ssh-server-config-example.xml example configuration file available in the Tectia Server distribution.

Example configuration in Unix

In this example use case, administrators (as defined by selectors) are required to authenticate with both a user certificate and then keyboard-interactive password in order to log in, and other users are allowed to log in with traditional public key or keyboard-interactive password authentication.

cert-validation

The certificate validation configuration for user authentication is specified in <params> of ssh-server-config.xml, for example:

<params>
...
 <cert-validation>
  <ldap-server address="ldap.example.com" port="389" />
  <ca-certificate file="/etc/ssh2/employee-ca.crt" name="employee-ca" />
 </cert-validation>
</params>

The example certificate selector below assumes that only one Certification Authority (CA) is trusted for user authentication. If there are multiple trusted CA certificates, the name "employee-ca" can be used as a selector to specify the appropriate CA for a particular authentication element.

authentication-methods

When user "admin" or any privileged user (UID is 0), for example "root", attempts to log in, the Tectia Server will first offer publickey authentication. If the user successfully completes publickey authentication with a valid user certificate that matches the user certificate selector, then Tectia Server will offer keyboard-interactive password authentication, and login is allowed if this authentication method is also completed successfully.

When any other user attempts to log in, the Tectia Server will offer both publickey authentication and keyboard-interactive password authentication. If the user successfully completes traditional publickey authentication or keyboard-interactive password authentication, then login is allowed.

Note: The user authentication chain (nested authentication elements) will force the authentication methods to be required.
 <authentication-methods>
   <authentication name="requiredforadministratorsunix">

     <!-- Selectors defined here determine which users match to this
     authentication configuration and are offered the public-key 
     authentication method specified in this authentication element. Note
     that the following selectors are in OR relation. -->

     <selector>
       <user name="admin"/>
     </selector>
     <selector>
       <user-privileged value="yes"/>
     </selector>
     <auth-publickey />
     <authentication>

      <!-- The certificate selector below authorizes login to user account
      that matches the subject name Common Name field of the user's
      certificate. For example if subject name is "C=FI, O=Company, OU=IT,
      CN=admin" login is allowed to account "admin". The selectors here
      determine also which users are offered the keyboard-interactive password
      authentication specified in this authentication element. -->

      <selector>
        <certificate field="subject-name" 
        pattern="C=FI, O=Company, OU=IT, CN=%username%" />
      </selector>
      <authentication>
       <auth-keyboard-interactive>
        <submethod-password />
       </auth-keyboard-interactive>
      </authentication>
     </authentication>
   </authentication>

   <!-- To ensure that the application default authentication methods and
   allow rule are not used unintentionally, do not specify any selectors
   for the fallback authentication configuration. Note that an authentication
   element without any selectors will always match, so it has to be specified
   after any same-level authentication elements with selectors. -->

   <authentication name="companydefault">
     <auth-keyboard-interactive>
      <submethod-password />
     </auth-keyboard-interactive>
     <auth-publickey />
   </authentication>
 </authentication-methods>

Example configuration in Windows

In this example use case, administrators (as defined by selectors) are required to authenticate with both keyboard-interactive password and then a user certificate in order to log in, and other users are allowed to log in with traditional public key or keyboard-interactive password authentication.

cert-validation

The certificate validation configuration for user authentication is specified in <params> of ssh-server-config.xml, for example:

<params>
...
 <cert-validation>
  <ldap-server address="ldap.example.com" port="389" />
  <ca-certificate file="C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Server\employee-ca.crt" name="employee-ca" />
 </cert-validation>
</params>

The example certificate selector below assumes that only one Certification Authority (CA) is trusted for user authentication. If there are multiple trusted CA certificates, the name "employee-ca" can be used as a selector to specify the appropriate CA for a particular authentication element.

authentication-methods

When a user whose name is or begins with "admin", for example "Administrator", attempts to log in, the Tectia Server will first offer keyboard-interactive password authentication. If the user successfully completes keyboard-interactive password authentication, then Tectia Server will offer publickey authentication. Login is allowed if this authentication method is also completed successfully and the valid user certificate matches the user certificate selector.

When any other user attempts to log in, the Tectia Server will offer both publickey authentication and keyboard-interactive password authentication. If the user successfully completes traditional publickey authentication or keyboard-interactive password authentication, then login is allowed. Note that domain users must authenticate with a native Windows authentication method such as GSSAPI or password (or alternatively keyboard-interactive password) in order to log in.

Note: The user authentication chain (nested authentication elements) will force the authentication methods to be required.


 <authentication-methods>
   <authentication name="requiredforadministratorswin">

     <!-- Selector defined here determines which users match to this
     authentication configuration and are offered the keyboard-interactive 
     password authentication method specified in this authentication element.
     Note that the selector value is case insensitive by default. -->

     <selector>
       <user name="admin*" />
     </selector>
     <auth-keyboard-interactive>
      <submethod-password />
     </auth-keyboard-interactive>
     <authentication>
       <auth-publickey />
      <authentication>

       <!-- The certificate selector below authorizes login to user account
       that matches the subject name Common Name field of the user's
       certificate. For example if subject name is "C=FI, O=Company, OU=IT,
       CN=Administrator" login is allowed to account "Administrator". -->

       <selector>
        <certificate field="subject-name" 
        pattern="C=FI, O=Company, OU=IT, CN=%username%" />
       </selector>
      </authentication>
     </authentication>
   </authentication>

   <!-- To ensure that the application default authentication methods and
   allow rule are not used unintentionally, do not specify any selectors
   for the fallback authentication configuration. Note that an authentication
   element without any selectors will always match, so it has to be specified
   after any same-level authentication elements with selectors. -->

   <authentication name="companydefault">
     <auth-keyboard-interactive>
      <submethod-password />
     </auth-keyboard-interactive>
     <auth-publickey />
   </authentication>
 </authentication-methods>

answered Dec 23 '10 at 23:59


Alan - Tectia Support ♦
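As an added audit helper (not Tectia's own code and not part of the answer above), the following Python encodes the rules the answer states: methods listed in one <authentication> element are alternatives, nested elements are required in turn, the first matching sibling wins, and a selector-less sibling matches everyone. It reports the chain each terminal element demands and flags the two pitfalls the answer warns about: a chain requiring no method (login without authentication) and a selector-less element placed before siblings it shadows. Recognising method elements by their auth- prefix and the sample configuration are assumptions made here.

```python
import xml.etree.ElementTree as ET

def _root(xml_text):
    root = ET.fromstring(xml_text)  # whole config file or just the block
    return root if root.tag == "authentication-methods" else root.find(".//authentication-methods")

def _methods(elem):
    # Tectia method elements all begin with "auth-" (auth-publickey, ...).
    return [c.tag for c in elem if c.tag.startswith("auth-")]

def chains(xml_text):
    """Map each terminal <authentication> path to its chain: one list of alternative methods per level, levels required in turn."""
    out = {}
    def walk(elem, levels, path):
        if _methods(elem):
            levels = levels + [_methods(elem)]
        nested = elem.findall("authentication")
        if not nested:
            out[path] = levels
        for i, child in enumerate(nested):
            walk(child, levels, path + "/" + child.get("name", f"#{i}"))
    for i, top in enumerate(_root(xml_text).findall("authentication")):
        walk(top, [], top.get("name", f"#{i}"))
    return out

def audit(xml_text):
    """Findings: chains requiring no method, and selector-less elements placed before siblings they shadow."""
    findings = [f"UNAUTHENTICATED: '{p}' requires no method"
                for p, levels in chains(xml_text).items() if not levels]
    for parent in _root(xml_text).iter():
        sibs = parent.findall("authentication")
        for i, el in enumerate(sibs[:-1]):
            if el.find("selector") is None:
                name = el.get("name", f"#{i}")
                findings.append(f"SHADOWED: '{name}' has no selector, so "
                                f"{len(sibs) - 1 - i} later sibling(s) never match")
    return findings

# Constructed sample: the Unix admin chain above plus two mistakes (fallback placed first, a method-less element).
SAMPLE = """<authentication-methods>
 <authentication name="companydefault"><auth-keyboard-interactive>
  <submethod-password/></auth-keyboard-interactive><auth-publickey/></authentication>
 <authentication name="requiredforadministratorsunix">
  <selector><user name="admin"/></selector><selector><user-privileged value="yes"/></selector>
  <auth-publickey/><authentication><selector><certificate field="subject-name"
    pattern="C=FI, O=Company, OU=IT, CN=%username%"/></selector>
   <authentication><auth-keyboard-interactive><submethod-password/></auth-keyboard-interactive></authentication>
  </authentication></authentication>
 <authentication name="contractors"><selector><user name="ctr*"/></selector></authentication>
</authentication-methods>"""
```

Running `audit(SAMPLE)` reports that "contractors" admits matching users with no authentication and that "companydefault" shadows the two elements after it; moving the fallback last and giving "contractors" a method clears both findings.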


Last updated: Mar 04 '11 at 02:22